Agenda

Hour 1
* Part 1: Quick RJMP to AVR + introduction example

Hours 2-3:
* Part 2: Pre-exploitation
* Part 3: Exploitation and ROP-chain building
* Part 4: Post-exploitation and tricks

Hour 4:
* Mitigations
* CFP! (Powered by Roman Bazhin)

If you have a question, please interrupt and ask immediately.

Disclaimer:
1) Workshop is VERY fast-paced.
2) Workshop is highly practical.
3) You may encounter information overflow.


Part 1: What is AVR? 


AVR

* Alf (Egil Bogen) and Vegard (Wollan)'s RISC processor
* Modified Harvard architecture 8-bit RISC single-chip microcontroller
* Developed by Atmel in 1996 (now Dialog/Atmel)
Image: https://de.wikipedia.org/wiki/Atmel_AVR


AVR is almost everywhere

* Industrial PLCs and gateways
* Home electronics: kettles, irons, weather stations, etc.
* lol
* HID devices (e.g. Xbox hand controllers)
* Automotive applications: security, safety, powertrain and entertainment systems
* Radio applications (and also XBee and Z-Wave)
* Arduino platform
* Your new shiny IoT fridge ;)

AVR inside industrial gateway

Synapse IoT module with Atmega128RFA1 inside

Philips Hue bulb

http://www.eetimes.com/document.asp?doc_id=1323739&image_number=1

AVR inside home automation dimmer


Harvard Architecture

* Physically separated storage and signal pathways for instructions and data
* Originated from the Harvard Mark I relay-based computer

[Figure: Harvard architecture block diagram (instruction memory, CPU, data memory). Image: https://en.wikipedia.org/wiki/Harvard_architecture]

Modified Harvard architecture...

... allows the contents of the instruction memory to be accessed as if it were data!

... but not the data as code!
Introduction example:
We're still able to exploit!


AVR "features"

AVR-8

* MCU (MicroController Unit): a single computer chip designed for embedded applications
* Low-power
* Integrated RAM and ROM (SRAM + EEPROM + Flash)
* Some models can work with external SRAM
* 8-bit, word size is 16 bit (2 bytes)
* Higher integration
* Single core / interrupts
* Low frequency (<20 MHz in most cases)

Higher Integration

Built-in SRAM, EEPROM and Flash
GPIO (discrete I/O pins)
UART(s)
I2C, SPI, CAN, ...
ADC
PWM or DAC
Timers
Watchdog
Clock generator and divider(s)
Comparator(s)
In-circuit programming and debugging support

AVRs are very different

* ATtiny13
* Up to 20 MIPS throughput at 20 MHz
* 64 SRAM / 64 EEPROM / 1k Flash
* Timer, ADC, 2 PWMs, comparator, internal oscillator
* 0.24 mA in active mode, 0.0001 mA in sleep mode

AVRs are very different

* Atmega32U4
* 2.5k SRAM / 1k EEPROM / 32k Flash
* JTAG
* USB
* PLL, timers, PWMs, comparators, ADCs, UARTs, temperature sensor, SPI, I2C, ... => tons of stuff

AVRs are very different

* Atmega128
* 4k SRAM / 4k EEPROM / 128k Flash
* JTAG
* Tons of stuff...

[Photo: ATMEGA128-16AU chip]

In the rest of the workshop we will focus on this chip


Why Atmega128?

* Old, but very widespread chip.
* At90can128: popular analogue for CAN buses in automotive applications
* Cheap JTAG programmer
* Much SRAM == ideal for ROP-chain construction training

Let's look at the architecture of Atmega128...

[Figure: ATmega128 block diagram from the datasheet (port drivers with their data direction and data registers for PORTA-PORTG)]


Ok, ok, let's simplify a bit :)

[Figure: simplified AVR core: Program Memory, Program Counter, Instruction Register, Instruction Decoder, Status and Control, General Purpose Registers, Data Bus, I/O Modules, EEPROM, Direct/Indirect Addressing, Control Lines. Image: http://www.cs.jhu.edu/~jorgev/cs333/usbkey/uC_3.JPG]

Note: code is separated from data


Memory map 


Figure 9. Data Memory Map 


Memory: registers

* R1-R25: GPR
* X, Y, Z: pair "working" registers, e.g. for memory addressing operations
* I/O registers: for accessing different "hardware"

[Figure: AVR register file with the X, Y and Z pointer register pairs]


Memory: special registers
* PC: program counter, 16-bit register
* SP: stack pointer, 16-bit register (SPH:SPL)
* SREG: status register (8-bit)

Memory addressing
* SRAM/EEPROM: 16-bit addressing, 8-bit element
* Flash: 16(8)-bit addressing, 16-bit element, read with the LPM command!


Memory addressing directions

* Direct to register
* Direct to I/O
* SRAM direct
* SRAM indirect (pre- and post-increment)
* Flash direct

Datasheets are your best friends!

[Figure: datasheet block diagram detail: PA0-PA7, the PORTA, PORTC and PORTF drivers with their data direction and data registers]
Interrupts

* An interrupt suspends the normal flow of code execution to handle something or react to some event
* Interrupt handler: procedure to be executed after the interrupt; its address is stored in the interrupt vector
* Examples of interrupts: timers, hardware events, reset

Table 23. Reset and Interrupt Vectors

Vector No.  Program Address  Source         Interrupt Definition
1           $0000            RESET          External Pin, Power-on Reset, Brown-out Reset, Watchdog Reset, and JTAG AVR Reset
2           $0002            INT0           External Interrupt Request 0
3           $0004            INT1           External Interrupt Request 1
4           $0006            INT2           External Interrupt Request 2
5           $0008            INT3           External Interrupt Request 3
6           $000A            INT4           External Interrupt Request 4
7           $000C            INT5           External Interrupt Request 5
8           $000E            INT6           External Interrupt Request 6
9           $0010            INT7           External Interrupt Request 7
10          $0012            TIMER2 COMP    Timer/Counter2 Compare Match
11          $0014            TIMER2 OVF     Timer/Counter2 Overflow
12          $0016            TIMER1 CAPT    Timer/Counter1 Capture Event
13          $0018            TIMER1 COMPA   Timer/Counter1 Compare Match A
14          $001A            TIMER1 COMPB   Timer/Counter1 Compare Match B
15          $001C            TIMER1 OVF     Timer/Counter1 Overflow
16          $001E            TIMER0 COMP    Timer/Counter0 Compare Match
17          $0020            TIMER0 OVF     Timer/Counter0 Overflow
18          $0022            SPI, STC       SPI Serial Transfer Complete
19          $0024            USART0, RX     USART0, Rx Complete
20          $0026            USART0, UDRE   USART0 Data Register Empty
21          $0028            USART0, TX     USART0, Tx Complete
22          $002A            ADC            ADC Conversion Complete
23          $002C            EE READY       EEPROM Ready


AVR assembly

Instruction types

* Arithmetic and logic
* Bit manipulation/test
* Memory manipulation
* Unconditional jump/call
* Branch commands
* SREG manipulation
* Special (watchdog, etc.)

Instruction mnemonics

mov r10, r0     ; copy r0 to r10

out PORTA, r16  ; write r16 to PORTA

* 16 bits long
* "Intel syntax" (destination before source)


A bit more about architecture

Fuses and Lock Bits

* Several bytes of permanent storage
* Set internal hardware and feature configuration, including the oscillator (internal or external), bootloader, pins, ability to debug/program, etc.
* 2 lock bits control programming protection.

[Screenshot: Atmel Studio "Device Programming" dialog (JTAGICE3, ATxmega128A1 over JTAG) listing fuses such as JTAGUSERID, WDWP, WDP, BOOTRST, BODACT, BODPD, RSTDISBL, SUT, WDLOCK, JTAGEN, EESAVE and BODLVL together with the raw FUSEBYTE register values, with the Lock bits page alongside; "Read registers...OK"]


AVR bootloader — what is it?

* Part of the code that starts BEFORE the RESET interrupt.
* Can be used for self-programmable systems (i.e. without an external device), in case you need to supply firmware updates for your IoT device.
* Bootloader address and behavior are configured via FUSEs.
* BLB lock bits control the bootloader's ability to update the application and/or bootloader parts of flash.

AVR bootloaders

* Arduino bootloader
* USB bootloaders (AVRUSBBoot)
* Serial programmer bootloaders (STK500-compatible)
* Cryptobootloaders
* Tons of them!


Watchdog

* Timer that can be used to raise an interrupt or reset the device.
* Cleared with the WDR instruction.

[Figure: watchdog block diagram: watchdog oscillator -> watchdog prescaler (WDP0, WDP1, WDP2) -> WDE -> watchdog reset -> MCU reset. Image: http://ardiri.com/blog/entries/20141028/watchdog.jpg]


Development for AVR

Atmel Studio

[Screenshot: Atmel Studio with the "Blinking LED" project open (target ATmega32, no tool selected). The editor shows:]

#ifndef F_CPU
#define F_CPU 16000000UL // 16MHz clock speed
#endif

#include <avr/io.h>
#include <util/delay.h>

int main(void)
{
    DDRC = 0xFF;          // makes PORTC an output
    while (1)             // infinite loop
    {
        PORTC = 0xFF;     // turns ON all LEDs
        _delay_ms(1000);  // 1 second delay
        PORTC = 0x00;     // turns OFF all LEDs
        _delay_ms(1000);  // 1 second delay
    }
}

[Build output, abridged:]
"E:\ATMEL\extensions\Atmel\AVRGCC\3.4.1.95\AVRToolchain\bin\avr-objdump.exe" -h -S "Blinking LED.elf" > "Blinking LED.lss"
"E:\ATMEL\extensions\Atmel\AVRGCC\3.4.1.95\AVRToolchain\bin\avr-objcopy.exe" -O srec -R .eeprom -R .fuse -R .lock -R .signature "Blinking LED.elf" "Blinking LED.srec"
"E:\ATMEL\extensions\Atmel\AVRGCC\3.4.1.95\AVRToolchain\bin\avr-size.exe" "Blinking LED.elf"
   text    data     bss     dec     hex filename
    200       0       0     200      c8 Blinking LED.elf
Done executing task "RunCompilerTask".
Task "RunOutputFileVerifyTask"

Build succeeded


AVR-GCC

* Main compiler/debugger kit for the platform
* Used by Atmel Studio
* Uses "AVR libc": http://www.nongnu.org/avr-libc/
* Several optimization options, several memory models

Other tools

* Arduino
* CodeVision AVR
* IAR Embedded Workbench


Debugging AVR

JTAG

* Joint Test Action Group (JTAG)
* Special debugging interface added to a chip
* Allows testing, debugging, firmware manipulation and boundary scanning
* Requires external hardware

[Figure: JTAG signal lines TCK, TMS, TDI and TDO between debugger and target. Photo: AVR JTAGICE3]

JTAG for AVRs

* AVR JTAG mkII
* AVR JTAG mkI
* Atmel ICE3
* AVR Dragon

Avarice

* Open-source interface between AVR JTAG and GDB
* Also allows to flash, write EEPROM, and manipulate fuse and lock bits
* Can capture the execution flow to restore the firmware
* Example usage:

avarice --program --file test.elf --part atmega128 --jtag /dev/ttyUSB0 :4444


AVR-GDB

* Part of the "nongnu" AVR GCC kit.
* Roughly a port of standard gdb to the AVR platform
* Doesn't understand the Harvard architecture, i.e. to read flash you will need to address it relative to $pc:

(gdb) x/10b $pc + 100


Simulators

* Atmel Studio simulator
* Proteus simulator
* Simavr
* Simulavr

VM access:

Login: radare
Password: radare

Ex 1.1: Hello world!

Real hardware

cd /home/radare/workshop/ex1.1
avarice --mkI --jtag /dev/ttyUSB0 -p -e --file build-crumbuino128/ex1.1.hex -g :4242

avr-gdb

Communication: cutecom or screen /dev/ttyUSB1 9600

Simulator

cd /home/radare/workshop/ex1.1 simulator
simulavr -P atmega128 -F 16000000 -f build-crumbuino128/ex1.1.elf

avr-gdb

Ex 1.2: Blink!

Real hardware

cd /home/radare/workshop/ex1.2
avarice --mkI --jtag /dev/ttyUSB0 -p -e --file build-crumbuino128/ex1.2.hex -g :4242

avr-gdb


AVR RE

Reverse engineering AVR binaries

Pure disassemblers:
* avr-objdump: GCC kit standard tool
* vavrdisasm: https://github.com/vsergeev/vavrdisasm
* ODAweb: https://www.onlinedisassembler.com/odaweb/

"Normal" disassemblers:
* IDA Pro
* Radare

IDA PRO: AVR specifics

* Incorrect AVR ELF handling
* Incorrect LPM command behavior
* Addressing issues
* Sometimes strange output
* However, usable, but "with care"

[Screenshot: IDA Pro disassembly of AVR firmware. The listing shown:]

ROM:65EC  E050       ldi   r21, 0          ; Load Immediate
ROM:65ED  EF6F       ser   r22             ; Set Register
ROM:65EE  E070       ldi   r23, 0          ; Load Immediate
ROM:65EF  8908       ldd   r16, Y+0x10     ; Load Indirect with Displacement
ROM:65F0  8919       ldd   r17, Y+0x11     ; Load Indirect with Displacement
ROM:65F1  892A       ldd   r18, Y+0x12     ; Load Indirect with Displacement
ROM:65F2  893B       ldd   r19, Y+0x13     ; Load Indirect with Displacement
ROM:65F3  2304       and   r16, r20        ; Logical AND
ROM:65F4  2315       and   r17, r21        ; Logical AND
ROM:65F5  2326       and   r18, r22        ; Logical AND
ROM:65F6  2337       and   r19, r23        ; Logical AND
ROM:65F7  E088       ldi   r24, 8          ; Load Immediate
ROM:65F8  E090       ldi   r25, 0          ; Load Immediate
ROM:65F9  938A       st    -Y, r24         ; Store Indirect
ROM:65FA  940E A2B4  call  sub_A2B4        ; Call Subroutine
ROM:65FC  2A60       or    r6, r16         ; Logical OR
ROM:65FD  2A71       or    r7, r17         ; Logical OR
ROM:65FE  2A82       or    r8, r18         ; Logical OR
ROM:65FF  2A93       or    r9, r19         ; Logical OR
ROM:6600  E040       ldi   r20, 0          ; Load Immediate
ROM:6601  E050       ldi   r21, 0          ; Load Immediate
ROM:6602  E060       ldi   r22, 0          ; Load Immediate
ROM:6603  EF7F       ser   r23             ; Set Register
ROM:6604  8908       ldd   r16, Y+0x10     ; Load Indirect with Displacement
ROM:6605  8919       ldd   r17, Y+0x11     ; Load Indirect with Displacement
ROM:6606  892A       ldd   r18, Y+0x12     ; Load Indirect with Displacement
ROM:6607  893B       ldd   r19, Y+0x13     ; Load Indirect with Displacement
ROM:6608  2304       and   r16, r20        ; Logical AND
ROM:6609  2315       and   r17, r21        ; Logical AND


Radare2

* Opensource reverse engineering framework (RE, debugger, forensics)
* Crossplatform (Linux, Mac, Windows, QNX, Android, iOS, ...)
* Scripting
* A lot of architectures / file formats
* Without habitual GUI

[Screenshot: radare2 disassembly of the AVR firmware's startup code (ldi/out/lpm/st/cpi/cpc/brne/rjmp/sbiw/movw/call) with asm.describe comments such as "LDI Rd,K. load immediate" and "store register to I/O location"]


Radare2. Tools

* radare2
* rabin2
* radiff2
* rafind2
* rasm2
* r2pm
* rarun2
* rax2
* r2agent
* ragg2
* rahash2
* rasign2


Radare2. Using

* Install from git

# git clone https://github.com/radare/radare2
# cd radare2
# sys/install.sh

* Packages (yara, retdec / radeco decompilers, ...):

# r2pm -i radare2

* Console commands

# r2 -d /bin/ls              debugging
# r2 -a avr sample.bin       architecture
# r2 -b 16 sample.bin        specify register size in bits
# r2 sample.bin -i script    include script


Radare2. Basic commands

aaa — analyze
axt — xrefs
s   — seek
p   — print/disassemble
~   — grep
!   — run shell commands
/   — search
/R  — search ROP gadgets
/c  — search instruction
?   — help


Example listing (the firmware's startup code, starting at 0x6a):

0x0000006a  1124      clr r1
0x0000006c  1fbe      out 0x3f, r1
0x0000006e  cfef      ldi r28, 0xff
0x00000070  d8e0      ldi r29, 0x08
0x00000072  debf      out 0x3e, r29
0x00000074  cdbf      out 0x3d, r28
0x00000076  11e0      ldi r17, 0x01
0x00000078  a0e0      ldi r26, 0x00
0x0000007a  b1e0      ldi r27, 0x01
0x0000007c  ece5      ldi r30, 0x5c
0x0000007e  ffe0      ldi r31, 0x0f
0x00000080  02c0      rjmp 0x86
0x00000082  0590      lpm r0, Z+
0x00000084  0d92      st X+, r0
0x00000086  ae33      cpi r26, 0x3e
0x00000088  b107      cpc r27, r17
0x0000008a  d9f7      brne 0x82
0x0000008c  21e0      ldi r18, 0x01
0x0000008e  aee3      ldi r26, 0x3e
0x00000090  b1e0      ldi r27, 0x01
0x00000092  01c0      rjmp 0x96
0x00000094  1d92      st X+, r1
0x00000096  a63e      cpi r26, 0xe6
0x00000098  b207      cpc r27, r18
0x0000009a  e1f7      brne 0x94
0x0000009c  10e0      ldi r17, 0x00
0x0000009e  cae6      ldi r28, 0x6a
0x000000a0  d0e0      ldi r29, 0x00
0x000000a2  04c0      rjmp 0xac
0x000000a4  2297      sbiw r28, 0x02
0x000000a6  fe01      movw r30, r28
0x000000a8  0e94a107  call 0xf42
0x000000ac  c836      cpi r28, 0x68
0x000000ae  d107      cpc r29, r17
0x000000b0  c9f7      brne 0xa4
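To make the 16-bit encodings in the listing above concrete, here is an added Python decoder for the instruction classes that startup code uses; it is example code written for this page, not radare2's or the workshop's. Opcodes are taken as the little-endian hex pairs a raw dump shows, branch targets are resolved from the instruction's byte address, and the startup words are a constructed input copied from the listing.

```python
"""Added example (not from the workshop or radare2): decode a subset of the
16-bit AVR instruction set, enough to read the startup code in the listing.

Opcodes are given the way a raw dump shows them: little-endian hex pairs, so
the text "cfef" is the 16-bit opcode 0xEFCF.  rjmp/brne targets are resolved
from the byte address of the instruction, the way radare2 prints them.
"""


def sign_extend(value, bits):
    """Interpret `value` as a two's-complement number of `bits` bits."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(hexpairs, addr=0):
    """Decode one instruction at byte address `addr`.

    Returns (text, size_in_bytes).  32-bit instructions (call) read their
    second word from the same hex string.
    """
    data = bytes.fromhex(hexpairs)
    op = data[0] | (data[1] << 8)             # first word, little-endian
    d = (op >> 4) & 0x1F                      # Rd field: bits 8..4
    r = ((op >> 5) & 0x10) | (op & 0x0F)      # Rr field: bit 9 + bits 3..0
    k8 = ((op >> 4) & 0xF0) | (op & 0x0F)     # 8-bit immediate: bits 11..8 + 3..0
    a6 = ((op >> 5) & 0x30) | (op & 0x0F)     # 6-bit I/O address (in/out)

    if op == 0x0000:
        return "nop", 2
    if op == 0x9508:
        return "ret", 2
    if op == 0x9518:
        return "reti", 2
    if (op & 0xFF00) == 0x0100:               # movw Rd+1:Rd, Rr+1:Rr (even regs)
        return f"movw r{((op >> 4) & 0xF) * 2}, r{(op & 0xF) * 2}", 2
    if (op & 0xFC00) == 0x0400:
        return f"cpc r{d}, r{r}", 2
    if (op & 0xFC00) == 0x2400:               # eor Rd,Rd is the idiom for clr
        return (f"clr r{d}" if d == r else f"eor r{d}, r{r}"), 2
    if (op & 0xF000) == 0x3000:               # cpi/ldi only address r16..r31
        return f"cpi r{16 + (d & 0xF)}, 0x{k8:02x}", 2
    if (op & 0xF000) == 0xE000:
        return f"ldi r{16 + (d & 0xF)}, 0x{k8:02x}", 2
    if (op & 0xFF00) == 0x9700:               # sbiw Rd+1:Rd, K  (Rd in r24..r30)
        k6 = ((op >> 2) & 0x30) | (op & 0x0F)
        return f"sbiw r{24 + ((op >> 4) & 0x3) * 2}, 0x{k6:02x}", 2
    if (op & 0xFE0F) == 0x9005:
        return f"lpm r{d}, Z+", 2
    if (op & 0xFE0F) == 0x920D:
        return f"st X+, r{d}", 2
    if (op & 0xF800) == 0xB800:
        return f"out 0x{a6:02x}, r{d}", 2
    if (op & 0xF800) == 0xB000:
        return f"in r{d}, 0x{a6:02x}", 2
    if (op & 0xF000) == 0xC000:               # rjmp: 12-bit signed word offset
        k = sign_extend(op & 0x0FFF, 12)
        return f"rjmp 0x{addr + 2 + 2 * k:x}", 2
    if (op & 0xFC07) == 0xF401:               # brne: 7-bit signed word offset
        k = sign_extend((op >> 3) & 0x7F, 7)
        return f"brne 0x{addr + 2 + 2 * k:x}", 2
    if (op & 0xFE0E) == 0x940E:               # call: 22-bit word address in 2 words
        hi = ((op >> 3) & 0x3E) | (op & 0x1)
        lo = data[2] | (data[3] << 8)
        return f"call 0x{((hi << 16) | lo) * 2:x}", 4
    return f".word 0x{op:04x}", 2             # not covered by this subset


def disassemble(words, base):
    """Disassemble hex-pair strings laid out contiguously from byte address `base`.

    Returns a list of (byte_address, text) tuples.
    """
    out, addr = [], base
    for w in words:
        text, size = decode(w, addr)
        out.append((addr, text))
        addr += size
    return out


# Constructed input: the first words of the startup code from the listing,
# as the hex pairs radare2 shows, starting at byte offset 0x6a of the image.
STARTUP = ["1124", "1fbe", "cfef", "d8e0", "debf", "cdbf", "11e0", "a0e0",
           "b1e0", "ece5", "ffe0", "02c0", "0590", "0d92", "ae33", "b107", "d9f7"]

if __name__ == "__main__":
    for addr, text in disassemble(STARTUP, 0x6a):
        print(f"0x{addr:08x}  {text}")
```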


Radare2. Disassembling

p?
pd/pD: disassemble
pi/pI: print instructions
Examples:
> pd 35 @ function

[0x0000006a]> p?
|Usage: p[=68abcdDfiImrstuxz] [arg|len]
| p=[bep?] [blks] [len] [blk]    show entropy/printable chars/chars bars
| p2 [len]                       8x8 2bpp-tiles
| p3 [file]                      print stereogram (3D)
| p6[de] [len]                   base64 decode/encode
| p8[j] [len]                    8bit hexpair list of bytes
| pa[edD] [arg]                  pa:assemble  pa[dD]:disasm or pae: esil from hexpairs
| pA[n_ops]                      show n_ops address and type
| p[b|B|xb] [len] ([skip])       bindump N bits skipping M
| p[bB] [len]                    bitstream of N bytes
| pc[p] [len]                    output C (or python) format
| p[dD][ajbrfils] [sz] [a] [b]   disassemble N opcodes/bytes for Arch/Bits (see pd?)
| pf[?|.nam] [fmt]               print formatted data (pf.name, pf.name $<expr>)
| p[iI][df] [len]                print N ops/bytes (f=func) (see pi? and pdi)
| pm [magic]                     print libmagic data (see pm? and /m?)
| pr[glx] [len]                  print N raw bytes (in lines or hexblocks, 'g'unzip)
| p[kK] [len]                    print key in randomart (K is for mosaic)
| ps[pwz] [len]                  print pascal/wide/zero-terminated strings
| pt[dn?] [len]                  print different timestamps
| pu[w] [len]                    print N url encoded bytes (w=wide)
| pv[jh] [mode]                  bar|json|histogram blocks (mode: e?search.in)
| p[xX][owq] [len]               hexdump of N bytes (o=octal, w=32bit, q=64bit)
| pz [len]                       print zoom view (see pz? for help)
| pwd                            display current working directory


Radare2. Options

* ~/.radare2rc
* e asm.describe=true
* e scr.utf8=true
* e asm.midflags=true
* e asm.emu=true
* eco solarized

[Screenshot: the startup-code listing rendered with these options: describe comments ("LDI Rd,K. load immediate", "store register to I/O location", "compare with immediate", "branch if not equal") and the solarized color theme]


Radare2. Interfaces

* Visual panels: V! (vim-like controls)
* Web server: r2 -c=H file
* Bokken

[Screenshot: the V! panel layout (Disassembly, Stack, Registers, Hexdump, Functions, Flags, Search, Script, Comments) and the web UI with Overview, Header, Disassembly, Hexdump and Debugger tabs]

[Photo: AVR JTAG mkI]

Training kit content

Arduino (not included)
ESP8266 "WiFi to serial"
Atmega128 custom devboard


Part 2: Pre-exploitation 


You have a device. First steps?

Decide what you want -> Determine the target platform -> Search for I/O point(s) -> Search for debug point(s) -> Acquire the firmware -> Fuzz and/or static analysis

Let's start with a REAL example

* Let's use the training kit board as an example.
* Imagine that you know nothing about it.
* We will go through all steps, one by one.

What do we want?

At first, decide what you want:

* Abuse functionality
* Read something from EEPROM/Flash/SRAM
* Stay persistent

Determine target platform
* Look at the board and search for all ICs...


[Photo: the training board; visible ICs: CP2102 (USB-to-UART bridge), Atmega128 16AU, ESP8266EX]

Digikey/Octopart/Google...

[Screenshot: Octopart search for "Atmega128 16au", https://octopart.com/search?q=Atmega128%2016au. Top results: Atmel ATMEGA128-16AU, "ATmega Series 16 MHz 128 KB Flash 4 KB SRAM 8-Bit Microcontroller - TQFP-64", and ATMEGA1280-16AU, "ATmega Series 16 MHz 128 KB Flash 8 KB SRAM 8-Bit Microcontroller - TQFP-100", with distributor stock and pricing (Farnell, Verical, Digi-Key, Schukat, Avnet Express) and a datasheet link]

Search for I/O(s)

External connectors

Search for I/O: tools

* Bus Pirate
* Saleae logic analyzer
* Arduino

Search for debug interface(s)

Search for debug interface(s): tools

* JTAGulator
* Or cheaper: Arduino + JTAGEnum

[Photo: JTAGEnum against the Atmega128 demoboard]

Search for debug & I/O: real device

[Photo: connector and I2C bus on the training board]

Acquire the firmware

* From the vendor web-site :)
* Sniffing the update process
* From the device


Acquire the firmware: sniff it!

[Screenshot: Wireshark capture of a TFTP firmware transfer (558-byte Data Packets, Block 21 and 22, and the Acknowledgement for Block 21, from UDP source port 69), with the captured payload opened in radare2 and disassembling as AVR code (or r6, r16 ... movw r18, r6 ... call 0xacd2 ... cpc r16, r17)]
Acquire the firmware: JTAG or ISP

* Use a JTAG or ISP programmer to connect to the board's debug ports
* Use:
  * Atmel Studio
  * AVRDude
  * Programmer-specific software to read flash

$ avrdude -p m128 -c jtagmkI -P /dev/ttyUSB0 \
    -U flash:r:"/home/avr/flash.bin":r

Acquire the firmware: lock bits

* AVR has lock bits that protect the device from flash extraction

Mode  LB1  LB2  Protection Type
1     1    1    Unprogrammed, no protection enabled
2     0    1    Further programming disabled, read back possible
3     0    0    Further programming and read back disabled

* Removing these lock bits erases the entire device
* If you have them set, you're not lucky; try to get the firmware from other sources
* However, if the lock bits are set but JTAG is enabled, you could try partial restoration of the firmware with avarice --capture (rare case)


Exercise 2.0: Acquire!

Real hardware

* Read fuses and lock bits using avarice -r
* Acquire firmware using avrdude

Firmware reversing: formats

* Raw binary format
* ELF format for AVRs
* Intel HEX format (often used by programmers)
* Can be easily converted between with avr-objcopy, e.g.:

avr-objcopy -R .eeprom -O ihex test.elf "test.hex"
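The Intel HEX to raw binary conversion that avr-objcopy performs, written out as an added Python example (not avr-objcopy's code): it verifies each record's checksum and handles the extended-address records that a 128 KB image such as the Atmega128's needs, since a record's address field is only 16 bits. The sample HEX text is constructed for the example.

```python
"""Added example (not avr-objcopy's code): parse an Intel HEX firmware image
into a raw flash image, the conversion `avr-objcopy -I ihex -O binary` does.

Each record is ':' LL AAAA TT DD.. CC.  AAAA is only 16 bits, so a 128 KB
image like the ATmega128's needs type 02 (extended segment) or type 04
(extended linear) records to move the base above 64 KB.  CC makes the byte
sum of the record zero mod 256, which catches most transfer/typing damage.
"""

DATA, EOF, EXT_SEGMENT, EXT_LINEAR = 0x00, 0x01, 0x02, 0x04


def parse_ihex(text):
    """Return {absolute_address: byte} for every data byte in the HEX text.

    Raises ValueError on a bad checksum, a bad length, or a missing EOF record.
    """
    image = {}
    base = 0                      # address offset set by type 02/04 records
    seen_eof = False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5:
            raise ValueError(f"line {lineno}: record too short")
        length, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        payload, checksum = raw[4:-1], raw[-1]
        if len(payload) != length:
            raise ValueError(f"line {lineno}: length {length} != {len(payload)} data bytes")
        if sum(raw) & 0xFF:       # the sum includes the checksum byte itself
            raise ValueError(f"line {lineno}: checksum mismatch (got 0x{checksum:02x})")
        if rtype == DATA:
            for i, b in enumerate(payload):
                image[base + addr + i] = b
        elif rtype == EOF:
            seen_eof = True
            break
        elif rtype == EXT_SEGMENT:   # 16-bit segment, scaled by 16 (8086 style)
            base = ((payload[0] << 8) | payload[1]) << 4
        elif rtype == EXT_LINEAR:    # upper 16 bits of a 32-bit address
            base = ((payload[0] << 8) | payload[1]) << 16
        # types 03/05 (start addresses) carry no flash contents and are ignored
    if not seen_eof:
        raise ValueError("no EOF record")
    return image


def to_binary(image, fill=0xFF):
    """Flatten the sparse image into bytes from address 0 to the highest byte.

    Gaps are filled with 0xFF, the value erased flash reads as (what objcopy's
    --gap-fill would be set to for AVR).
    """
    if not image:
        return b""
    end = max(image) + 1
    return bytes(image.get(a, fill) for a in range(end))


# Constructed sample (not a real firmware): a 4-byte reset vector at 0x0000,
# an extended-segment record moving the base to 0x10000, a 2-byte `ret`
# placed there, and the EOF record.
SAMPLE_HEX = """\
:040000000C94460016
:020000021000EC
:02000000089561
:00000001FF
"""

if __name__ == "__main__":
    img = to_binary(parse_ihex(SAMPLE_HEX))
    print(f"{len(img)} bytes, first word {img[0:2].hex()}, byte at 0x10000: {img[0x10000]:#04x}")
```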


Ex 2.1: Hello!

Real hardware & Simulator

cd /home/radare/workshop/ex2.1

avr-objcopy -I ihex -O binary ex2.1.hex ex2.1.bin
r2 -a avr ex2.1.bin


Arithmetic instructions

[Slide: examples of arithmetic instructions (add, adc, and, neg, ...) with their register operands and C-like meaning]

Bit manipulation instructions

lsl r10     ; r10 = r10 << 1
lsr r21     ; r21 = r21 >> 1
rol r15     ; rotate r15 left through carry
ror r16     ; rotate r16 right through carry
cbr r16, 3  ; clear bits 0 and 1 in r16
sbr r16, 3  ; set bits 0 and 1 in r16
cbi $18, 1  ; PORTB[1] = 0


Memory manipulation

mov r1, r2       ; r1 = r2
ldi r16, 10      ; r16 = 10
lds r2, $FA00    ; r2 = *0xFA00
sts $FA00, r0    ; *0xFA00 = r0
st Z+, r0        ; *Z (r31:r30) = r0, then Z++
st -X, r1        ; X--, then *X = r1
std Y+5, r2      ; *(Y+5) = r2
in r15, $18      ; r15 = PORTB
out $18, r0      ; PORTB = r0

Memory manipulation: stack

push r14         ; save r14 on the stack; SP = SP - 1
pop r15          ; pop top of stack into r15; SP = SP + 1

Memory manipulation: flash

lpm r16, Z       ; r16 = *(r31:r30), but from flash

Figure 2-9. Program Memory Constant Addressing

Note: code is separated from data


Unconditional jump/call

jmp $ABC1    ; PC = 0xABC1
rjmp 5       ; PC = PC + 1 + 5
call $ABC1   ; "push PC", then jmp $ABC1
ret          ; "pop PC"

Harvard architecture? But PC goes to DATA memory

STORE PC ON THE STACK... ROP IS POSSIBLE!


SREG — 8-bit status register

Bit 7..0: I T H S V N Z C

C: Carry flag
Z: Zero flag
N: Negative flag
V: two's complement oVerflow indicator
S: N xor V, for signed tests
H: Half carry flag
T: Transfer bit (BLD/BST)
I: global Interrupt enable/disable flag

Conditional jump

cpse r1, r2  ; if r1 == r2, skip the next instruction
breq 10      ; Z ? PC = PC + 1 + 10
brne 10      ; !Z ? PC = PC + 1 + 10

SREG manipulations

* sec/clc: set/clear carry
* sei/cli: set/clear the global interrupt flag
* se*/cl*: set/clear the * flag in SREG

Special

* break: debugger break
* nop: no operation
* sleep: enter sleep mode
* wdr: watchdog reset

Ex 2.2: Blink!

Real hardware & Simulator

cd /home/radare/workshop/ex2.1

avr-objcopy -I ihex -O binary blink.hex blink.bin

r2 -a avr ex2.1.bin

Questions:

1. Identify the main() function and describe it using af
2. Find the LED switching command
3. Locate the interrupt vector and init code; explain what happens inside the init code.
4. What type of delay is used and why is an accurate frequency required?


Reversing: function signatures

* Most firmwares contain zero or few strings.
* How to start?
* Use function signatures.
* However, in the AVR world signatures may vary a lot.
* Be prepared to predict the target compiler/library/RTOS and options... or bruteforce it.
* In R2, signatures are called zignatures.


Embedded code priorities

* Size
* Speed
* Hardware limits
* Redundancy
* Security


Fuzzing specifics

* Fuzzing is fuzzing. Everywhere.
* But... we're in the embedded world.
* Sometimes you can detect a crash through a test/debug UART or pins
* In most cases, you can detect a crash only by noticing that the device no longer responds
* Moreover, the watchdog timer may limit your detection capabilities, because it resets the device.
* So how to detect a crash?

Fuzzing: ways to detect a crash

* JTAG debugger: break on RESET
* External analysis of functionality: detect execution pauses
* Detect bootloader/initialization code behavior (e.g. for SRAM) with a logic analyzer and/or FPGA
* Detect power consumption changes with an oscilloscope/DAQ

Sometimes Arduino is enough to detect

* I2C and SPI init sequences can be captured by Arduino GPIOs
* If the bootloader is slow and waits ~1 second, this power consumption reduction can be reliably detected with a cheap current sensor, e.g.:

SparkFun Low Current Sensor Breakout - ACS712
https://www.sparkfun.com/products/8883

Let's prove it.


Part 3: Exploitation

Quick intro to ROP-chains

* Return Oriented Programming
* Series of function returns
* We're searching for primitives ("gadgets") ending with 'ret' that can be chained into something useful
* SP is our new PC

Notice: Arduino
* The next examples/exercises will be based upon the Arduino 'libc' (in fact, Non-GNU AVR libc + Arduino wiring libs)
* We're using Arduino because it's complex, full of gadgets but free (as opposed to IAR or CV, which are also complex and full of gadgets)
* Also, Arduino is fairly popular today, due to the enormous number of libraries and "quick start" (i.e. quick bugs)

ARDUINO


Ex 3.1 - 3.3

Real hardware

cd /home/radare/workshop/ex3.1
avarice --mkI --jtag /dev/ttyUSB0 -p -e --file build-crumbuino128/ex3.1.hex -g :4242

avr-gdb

Simulator

cd /home/radare/workshop/ex3.1 simulator
simulavr -P atmega128 -F 16000000 -f build-crumbuino128/ex3.1.elf

avr-gdb

Or: node exploit.js

Example 3.1: Abusing functionality: ret to function


Internal-SRAM only memory map 


external RAM 


0x10FF 
0x1100 
OXFFFF 


o 
o 
= 
O 

bas 
o 


on—board RAM 


im SP L RAMEND 
*( brkval) (<= "SP - *(__malloc_margin)) 
i *(_malloc_heap_stan) == __heap_start 
. bss end 
. data end ==  bss start 
data start 


Overflowing the heap => Rewriting the stack! 


http://www.atmel.com/webdoc/AVRLibcReferenceManual/malloc_1malloc_intro.html 


How to connect data(string/binary) to code? 


Standard model: with .data 
variables 


e Determine data offset in flash 


e Find the init code/firmware prologue where 
.data is copied to SRAM 


e Using a debugger (or your brain), calculate the offset of the 
data in SRAM 


e Search code for this address 


Economy model: direct read with 
lpm/elpm 

e Determine data offset in flash 

e Search code for (e)lpm instructions addressing this offset 


ABI, Types and frame layouts (GCC) 


e Types: standard sizes (short == int == 2, long == 4), except that double is 4 bytes 
e Int can be 8-bit if the -mint8 option is enforced. 

e Call-used: R18-R27, R30, R31 

e Call-saved: R2-R17, R28, R29 

e R29:R28 used as frame pointer 


e Frame layout after function prologue: 
  incoming arguments 
  stack slots, Y+1 points at the bottom 


Calling convention: arguments 


e An argument is passed either completely in registers or completely in memory. 


e To find the register where a function argument is passed, initialize the register 
number Rn with R26 and follow this procedure: 


1. If the argument size is an odd number of bytes, round up the size to the next even number. 
2. Subtract the rounded size from the register number Rn. 
3. If the new Rn is at least R18 and the size of the object is non-zero, then the low byte of the argument is 
passed in Rn. Other bytes will be passed in Rn+1, Rn+2 etc. 
4. If the new register number Rn is smaller than R18 or the size of the argument is zero, the argument will 
be passed in memory. 
5. If the current argument is passed in memory, stop the procedure: all subsequent arguments will also 
be passed in memory. 
6. If there are arguments left, goto 1. and proceed with the next argument. 


e Varargs are passed on the stack. 


Calling conventions: returns 


* Return values with a size of 1 byte up to and including a size of 8 
bytes will be returned in registers. 


* For example, an 8-bit value is returned in R24 and a 32-bit value is 
returned in R22...R25. 


e Return values whose size is outside that range will be returned in 
memory. 


Example 


For 


int func(char a, long b); 


e a will be passed in R24. 

e b will be passed in R20, R21, R22 and R23 with the LSB in R20 and the 
MSB in R23. 

* the result is returned in R24 (LSB) and R25 (MSB). 
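As an added example (not code from the workshop), the argument and return-value procedures from the two calling-convention slides above, implemented so a prototype recovered from a disassembly can be checked by hand. `int func(char a, long b)` is the slides' own example; the other prototypes in the demo and the `describe` helper are constructed.

```python
# Added example (not from the workshop slides): the avr-gcc argument and
# return-value register assignment described above, so a prototype seen in
# a disassembly can be checked by hand. Register numbers are ints (24 = R24);
# None means the value is passed/returned in memory.

FIRST_ARG_REG = 26   # Rn starts at R26 and walks downward
LOWEST_ARG_REG = 18  # below R18 this and every later argument goes to memory

# Type sizes from the slides (no -mint8): short == int == 2, long == 4, double == 4
TYPE_SIZES = {"char": 1, "short": 2, "int": 2, "long": 4, "float": 4, "double": 4, "ptr": 2}


def assign_arg_registers(sizes):
    """sizes: byte size of each parameter in declaration order.
    Returns, per parameter, the register list holding it (low byte first) or None."""
    rn = FIRST_ARG_REG
    in_memory = False
    result = []
    for size in sizes:
        if not in_memory:
            rounded = size + (size & 1)   # step 1: odd sizes round up to even
            rn -= rounded                 # step 2
            in_memory = rn < LOWEST_ARG_REG or size == 0   # steps 4-5
        # step 3: low byte in Rn, the remaining bytes in Rn+1, Rn+2, ...
        result.append(None if in_memory else list(range(rn, rn + size)))
    return result


def return_registers(size):
    """Registers for a return value of `size` bytes (low byte first); None if
    it is returned in memory (size 0 or more than 8 bytes)."""
    if not 1 <= size <= 8:
        return None
    low = 26 - (size + (size & 1))   # 8/16-bit: R24(:R25), 32-bit: R22..R25, 64-bit: R18..R25
    return list(range(low, low + size))


def describe(ret_type, arg_types):
    """Map C type names (keys of TYPE_SIZES) to registers (constructed helper)."""
    args = assign_arg_registers([TYPE_SIZES[t] for t in arg_types])
    return {"args": args, "ret": return_registers(TYPE_SIZES[ret_type])}


if __name__ == "__main__":
    # Slides' example: int func(char a, long b) -> a in R24, b in R20..R23, result in R24:R25
    print(describe("int", ["char", "long"]))
    # Constructed: with five long arguments the third and later ones spill to memory
    print(describe("long", ["long"] * 5))
```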


EXAMPLE 


Example 3.2: Abusing 
functionality: simple ROP 


ROP gadget sources 


e User functions 

e “Standard” or RTOS functions 
* Data segment 

* Bootloader section 


More code => more gadgets 


ROP chain size 


e It's an MCU 

e SRAM is small 

e SRAM is divided between register file, heap and stack 

e Stack size is small 

e We're low on chain size 

e Obviously, you will be limited to 20-40 bytes (~15-30 gadgets) 
* However, it all depends on the compiler and memory model 


http://www.atmel.com/webdoc/AVRLibcReferenceManual/malloc_1malloc_tunables.html 


Memory maps — external SRAM/separated stack 


(Figure: RAM from 0x0100 to 0xFFFF. On-board RAM holds the stack: SP, RAMEND. External RAM holds the heap: *(__malloc_heap_start) == __heap_start up to *(__brkval), bounded by *(__malloc_heap_end) == __heap_end. Also shown: __data_start, __data_end == __bss_start, __bss_end.) 


Memory maps — external SRAM/mixed stack 


(Figure: on-board RAM and external RAM with stack and heap sharing the space. Labels: SP, RAMEND, *(__malloc_heap_end) == __heap_end, *(__brkval), *(__malloc_heap_start) == __heap_start, __bss_end, __data_end == __bss_start, __data_start.) 


Detecting “standard” functions 


e In AVR we have a bunch of compilers, libraries and even RTOSes 
e So, the “standard” functions can vary. 


* More bad news: memory model and optimization options can 
change a function's code. 


* The best approach is to try to detect functions like malloc/str(n)cpy and 
then find the exact compiler/options that generate such code 


e After it, use function signatures to restore the rest of the code 


e In Radare2, you could use zignatures or Yara. 


EXAMPLE 


Example 3.3: more complex 
ROP 


EXERCISE 


Exercise 3.1: ret 2 function 


Build an exploit that starts with ABC but calls the switchgreen() function 


EXERCISE 


Exercise 3.3: print something 
else 


3.3.1) Build an exploit that prints “a few seconds...” 
3.3.2) (homework) Build an exploit that prints “blink a few seconds...” 


Ex 3.4 
Real hardware 


cd /home/radare/workshop/ex3.1 

In Blink.ino change the APNAME constant from “esp_123” to “esp_your3digitnumber” 

make 

avr-objcopy -I ihex -O binary build-crumbuino128/ex3.4.hex ex3.4.bin 

avarice --mkI --jtag /dev/ttyUSB0 -p -e --file build-crumbuino128/ex3.4.hex -g :4242 
avr-gdb 

Connect to “esp_your3digitnumber” and type http://192.168.4.1 in your browser 


Simulator 


cd /home/radare/workshop/ex3.4 simulator 
On 1st terminal: node exploit.js 
On 2nd terminal: tail -f serial1.txt 


In your browser: http://127.0.0.1:5000 


EXAMPLE 


Example 3.4: Blinking 
through HTTP GET 


EXERCISE 


Exercise 3.4: UARTIng 
through HTTP query 


EXERCISE 


Exercise 3.5: Blinking 
through HTTP POST 


It's possible to construct ROP with a debugger... 
...But if I don't have one, how could I 
determine the overflow point? 


* Reverse and use external analysis to find function that 
overflows 


e Bruteforce it! 


EXAMPLE 


Arduino blink (ROP without 
debugger) 


Part 4: Post-exploitation 
&& Tricks 


What do we want? (again) 


e Evade watchdog 

e Work with persistent memory (EEPROM and Flash) 
e Stay persistent in device 

e Control device for a long time 


Evade the watchdog 


In most cases, there are three ways: 
1. Find a ROP gadget with WDR and periodically jump to it. 
2. Find the watchdog disable code and try to jump to it. 
3. Construct watchdog disable code over the watchdog enable code. 


0fb6    in r0, 0x3f        <- Set r18 to 0 and JMP here 
f894    cli 
a895    wdr 
81bd    out 0x21, r24 
0fbe    out 0x3f, r0 
21bd    out 0x21, r18 
0895    ret 

0e9459  call 0xb2 


Fun and scary things to do with memory... 


* Read/write EEPROM (and extract cryptography keys) 
* Read parts of flash (e.g., reading locked bootloader section) — could 
be more useful than it seems 


* Staying persistent (writing flash) 


Reading EEPROM/Flash 


* Ok, in most cases it's almost easy to find gadget(s) that read a byte 
from EEPROM or flash and store it somewhere. 


e We could send it back over UART or any external channel using gadgets 


* Not always possible, but there are good chances 


Writing flash 


e Writing flash is locked during normal program execution 


* However, if you use “jump-to-bootloader” trick, you could write flash 
from bootloader sections. 


* To do this, you need a bootloader that has enough gadgets. 


* However, modern bootloaders are big and sometimes you could be 
lucky (e.g. Arduino bootloader) 


* Remember to disable interrupts before jumping to bootloader. 


“Infinite-ROP” trick* 


1. Set array to some “upper” stack address (A1) and N to some value 
(128/256/etc) and JMP to read(..) 


2. Output the ROP-chain from UART to A1. 

3. Set SPH/SPL to A1 (gadgets can be found in the init code) 
4. JMP to RET. 

5. ??? 

6. Profit! 


Don't forget to include the gadgets for steps 1 and 3-4 in the ROP-chain that you are 
sending by UART. 


*Possible on firmwares with read(array, N) from UART functions and complex init code 


Mitigations 


Mitigations (software) 


* Safe code/Don't trust external data (read 24 deadly sins of computer 
security) 


* Reduce code size (less code -> less ROP gadgets) 


e Use rjmp/jmp instead of call/ret (of course, it won't save you from 
ret2function) 


* Use “inconvenient” memory models with small stack 

e Use stack canaries in your RTOS 

* Limit external libraries 

* Use watchdogs 

* Periodically check stack limits (to avoid stack expansion tricks) 


Mitigations (hardware) 


e Disable JTAG/debuggers/etc, remove pins/wires of JTAG/ISP/UART 
e Write lock bits to 0/0 

e Use multilayered PCBs 

e Use external/hardware watchdogs 

e Use new ICs (more secure against various hardware attacks) 

e Use external safety controls/processors 


And last, but not least: 
e Beware of Dmitry Nedospasov ;) 




Conclusions 


e RCE on embedded systems isn't as hard as it seems. 
e Abuse of functionality is the main consequence of such attacks 


* However, scarier things like extracting cipher keys or rewriting the 
flash are possible 


e When developing an embedded system, remember that security should also 
be part of the software development life cycle (SDLC) process. 


Books/links 


Belov A.V., Development of AVR microcontroller-based devices (in Russian) 




Atmega128 disasm thread: http://www.avrfreaks.net/forum/disassembly-atmega128-bin-file 


Exploiting buffer overflows on arduino: http://electronics.stackexchange.com/questions/78880/exploiting-stack-buffer-overflows-on-an-arduino 


Code Injection Attacks on Harvard-Architecture Devices: http://arxiv.org/pdf/0901.3482.pdf 


Buffer overflow attack on an Atmega2560: http://www.avrfreaks.net/forum/buffer-overflow-attack-atmega2560?page=all 


Jump to bootloader: http://www.avrfreaks.net/forum/jump-bootloader-app-help-needed 


AVR Libc reference manual: 
http://www.atmel.com/webdoc/AVRLibcReferenceManual/overview_1overview_avr-libc.html 


AVR GCC calling conventions: https://gcc.gnu.org/wiki/avr-gcc 


Travis Goodspeed, Nifty Tricks and Sage Advice for Shellcode on Embedded Systems: 
https://conference.hitb.org/hitbsecconf2013ams/materials/D1T1%20-%20Travis%20Goodspeed%20-%20Nifty%20Tricks%20and%20Sage%20Advice%20for%20Shellcode%20on%20Embedded%20Systems.pdf 


Pandora's Cash Box: The Ghost Under Your POS: https://recon.cx/2015/slides/recon2015-17-nitay-artenstein-shift-reduce-Pandora-s-Cash-Box-The-Ghost-Under-Your-POS.pdf 


Radare2. Links 


* http://radare.org 
* https://github.com/pwntester/cheatsheets/blob/master/radare2.md 


* https://www.gitbook.com/book/radare/radare2book/details 
* https://github.com/radare/radare2ida 


Any Questions? 


@dark_k3y 
@dukeBarman 
http://radare.org/r/ 


Digital Security 


http://dsec.ru http://eltech.ru http://zorsecurity.ru 


Now it's CTF time! :) 
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